Over 28,000 Ivanti Instances are Exposed to the Internet

Ivanti has recently identified two zero-day vulnerabilities, designated CVE-2024-21888 and CVE-2024-21893, in its products Ivanti Connect Secure and Ivanti Policy Secure. According to reports, the impact of these vulnerabilities is significant, with the potential for widespread security breaches.

The first vulnerability (CVE-2024-21888) affects the web components of Ivanti Connect Secure and Ivanti Policy Secure, and allows a threat actor to elevate their privileges to those of an administrator. This type of escalation can have far-reaching and potentially catastrophic consequences for affected organizations.

The second vulnerability, CVE-2024-21893, affects the SAML component of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA. The vulnerability allows threat actors to access specific restricted resources without proper authentication. This represents a severe security risk, as unauthorized access to resources could lead to data breaches or system compromise.

In light of these vulnerabilities, Ivanti has taken immediate action by releasing a security advisory urging all customers to patch these vulnerabilities as soon as possible. Failure to do so can leave organizations vulnerable to the exploitation of these zero-day vulnerabilities.

Furthermore, researchers from Unit 42 have discovered that Ivanti Connect Secure and Policy Secure have been exposed in 145 countries, with over 28,000 instances. Additionally, the security of Ivanti Connect Secure and Policy Secure devices was breached in 44 different countries, affecting 610 instances. This widespread exposure underlines the urgent need for organizations to address these vulnerabilities to prevent further exploitation.

Since January 13, 2024, there has been a significant surge in the volume of IP addresses scanning for the vulnerability. Researchers also observed a significant surge of 4,120 targeted attacks on January 20, 2024, all intended to exploit the particular vulnerability. The rise in scanning activity and targeted attacks further emphasizes the critical nature of these vulnerabilities and the need for proactive measures to mitigate potential threats.

The report also noted that most observed attacks appeared to originate from the U.S. region, accounting for 74% of all attacks, followed by the European Union and Canada. However, attackers might leverage proxy servers and VPNs in those countries to hide their physical locations. This highlights the complex and multifaceted nature of cyberattacks, which can often involve tactics aimed at obfuscating the origin of malicious activity.

Given the severity and widespread nature of these vulnerabilities, organizations are strongly advised to heed Ivanti’s security advisory and promptly install the necessary patches. Additionally, organizations should stay vigilant and continue to monitor their systems for any signs of suspicious activity. With cyber threats on the rise, it is paramount for organizations to prioritize cybersecurity and take proactive measures to defend against potential attacks.
